Retail Privacy and Data

The information on this page is meant to be solution-focused and helpful for Canadian retailers navigating privacy and data governance during and beyond COVID-19. If you have any questions or suggestions, please contact Kate Skipton at [email protected].


COVID-19 implications on privacy for retailers

COVID-19 has raised many privacy issues for retailers. These include what information can be collected from customers and employees; for example, during temperature checks, as retailers try to keep stores and staff safe. The pandemic has also raised information-sharing issues, such as what information can be shared for contact tracing reasons with health authorities, and it has increased cyber risk.

Read COVID-19 implications on privacy for retailers

Privacy and data for Canadian retailers

Almost daily, we see and hear headlines about data privacy concerns, data breaches and overall misuse of data. The changing retail landscape requires retailers to find a successful balance between making use of data for analytical insights and great customer experiences and maintaining appropriate protection of individuals’ personal information.

Privacy laws apply to all types of personal information that can be used to identify a person: emails, names, credit card numbers, IP addresses and facial images are only a few examples. Privacy laws may even apply when that information can only identify a person when combined with other information.

As retailers continue to utilize ecommerce and to navigate an increasingly omnichannel world, they face cyberattacks and other breach risks. They need to create increasingly data-driven operational efficiency and personalized customer experiences, while earning and maintaining consumer trust. Retailers engage with personal data through many channels, from in-person cashier conversations to ecommerce and omnichannel digital apps on mobile and other devices. Privacy and data governance can potentially apply anywhere data flows, if that data can identify someone: across the physical and digital landscapes and across many regulatory jurisdictions. Privacy and data regulatory frameworks are rapidly evolving across Canada and internationally. New data governance laws continue to come into force internationally, some with stringent requirements and enforcement provisions.

What’s happening in Canadian data privacy reform?

In May 2019, the Canadian federal government released the Digital Charter, a policy platform addressing many areas of digital life. Reforms to Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), were proposed in a white paper from the Ministry of Innovation, Science and Economic Development (ISED). Key potential changes to the PIPEDA framework included new fines and stronger powers for the federal Privacy Commissioner. Regional privacy frameworks have also been subject to provincial data privacy reform discussions in 2019 and 2020, including in British Colombia, Ontario and Quebec.

In addition to enforcement, the federal PIPEDA White Paper discussed other policies to better govern personal information. These included a risk-based approach to the possibility of individual re-identification from supposedly anonymous data; alternatives to consent for common uses of personal information for standard business activities (eg: payment processing); and more transparency where machine learning and artificial intelligence are being used to make decisions about a person.

In a related development, the creation of an entirely new federal regulator, a Data Commissioner, was mandated after the fall 2019 federal election. Then, in January 2020, a senior Competition Bureau official stated that, “the issues of privacy and deceptive marketing practices intersect in the online marketplace…When firms make false or misleading statements about the type of data they collect, why they collect it, and how they will use, maintain and erase it, we will take action.” 

In May 2020, the Commissioner of Competition in Canada levied a $9M fine against Facebook for deceptive marketing about privacy. Retailers making privacy claims that they cannot back up if asked may wish to re-examine their practices, e.g. if you say you’re not sharing information, don’t share it; use it for only the purpose you collected it, etc. View privacy-oriented analysis of Competition Bureau decision.

The necessity of responding to COVID-19 has, understandably, diminished some of the momentum that was driving Canadian privacy reforms.

Read more:

Privacy resources for retailers

Retail Data and Privacy Bulletins (RCC members only)

The Retail Data and Privacy Bulletin is a monthly email newsletter itemizing data governance policy, legal and other developments specifically for Canadian retailers. Launched in late 2019, the bulletin was catalyzed by the need to update RCC members on retail-specific data privacy policy reform and retail data protection best practices.

For more information and to subscribe to the next Bulletin, members can contact [email protected].

RCC Guidebook: How does the GDPR affect Canadian retailers? (RCC members only)

Europe’s General Data Protection Regulation (GDPR) is a privacy regulation that was launched in 2018. If your business has customers or even website visitors from Europe, then you may fall under the GDPR’s scope. The GDPR’s large fines (up to 20M Euro or 4% of a firm’s worldwide annual turnover, whichever is highest), global reach and influence on Canadian federal and provincial privacy reform make it relevant to Canadian retailers. RCC’s GDPR guidebook covers GDPR for Canadian retailers.

View GDPR guidebook

Guiding Principles on Privacy for Retailers in Canada (RCC members only)

Protecting your business and your customers’ personal information against the threats of cyber-breaches and criminal activities is paramount in today’s retail environment. The purpose of this paper is to clarify the guiding principles of the Personal Information and Protection of Electronic Documents Act (PIPEDA) and the practical applications associated with those principles. It also includes guidelines related to the sharing of information between organizations and guidelines associated with the request for identification for customers.

Download white paper

Privacy Committee (RCC members only)

The Privacy Committee is comprised of retail professionals interested in and responsible for the areas of data governance and privacy. The purpose of the committee is to share best practices and information related to data governance and privacy and to help members stay ahead of the curve on issues that impact the industry.

Inquire about joining and view more RCC committees

Federal requirements on data breach record-keeping and reporting

lock on a keyboard

As of November 1, 2018, retailers must notify the federal Office of the Privacy Commissioner (OPC) if they experience a data breach that creates a “real risk of significant harm” (RROSH) to the individuals whose personal information is affected. Retailers must also record how they assess whether or not a data breach is serious enough to meet the RROSH standard and require notification.

Find out more

How American retailers use consumer data

Nearly two thirds of U.S. consumers say retailers, not the government or tech vendors, are responsible for data privacy, according to a 2019 Deloitte report. Most U.S. consumers think that retailers use their personal data for target marketing. In fact, the top three consumer data uses by U.S. retailers are to:

  • Increase operational efficiencies
  • Improve product selection
  • Enhance in-store services or experiences.

Consumer journey steps in a data-driven, American retail store may now include mobile phone location data gathering, with AI assistants generating product recommendations and push notifications to personal devices while customers walk around brick-and-mortar stores.

View report

De-identifying personal data in big datasets

Many companies including retailers analyze large volumes of data routinely (“big data”). De-identifying personal information in large datasets is often mentioned as a way to protect privacy. Also called anonymization, effective de-identification means rendering it impossible to identify an individual from the information a dataset contains about them.

However, in practice, rapidly evolving data analytics technologies make it challenging to have confidence that de-identifying any dataset can be permanently effective. This is one of several complex new realities driving Canadian and international privacy and data governance reform. Canadian non-profit CANON is an international resource that covers the challenges posed by anonymization and lists international anonymization guidance.

View CANON resources

Big data in retail

How do AI and machine learning challenge traditional Canadian privacy frameworks?

Effective data governance reform is challenging in part because some of the technologies underlying the “data-driven” world handle personal information in paradigm-shifting new ways. In the case of AI and machine learning, this paradigm shift presents itself essentially for two reasons: (1) these programs can analyze much larger and more complex datasets, including unstructured data (eg: audio, image, video and text; unstructured data comprises 80% of enterprise data), and (2) machine learning programs can teach themselves new insights and make decisions based on what they learn.

The ways these technologies can process an individual’s personal data challenge long-held privacy principles like transparency and purpose-based consent. They raise new possibilities and challenges for how data privacy frameworks can still implement those principles in ethical and economically viable ways.

As a result, legal and regulatory reform pertaining specifically to these technologies has been and continues to be under discussion in Canada and internationally. AI’s predictive capacities make it useful to retailers in many ways, eg: to better manage inventory and supply chains.

View more info on AI and privacy

View March 2020 federal Privacy Commissioner AI consultation document.

View ISED PIPEDA White Paper containing discussion of AI and machine learning reform

View info on AI and inventory

Where can I learn more on public policy issues in Canadian data governance that affect the broader business community, not just retail?

The Business Council’s 2019 Data-Driven Issues Paper provides a thorough overview of the public policy issues facing Canadian data governance policy makers. It delves into privacy elements at issue in the PIPEDA reform and discusses other data governance areas that affect retailers, including cybersecurity, cross-border data flows and interoperability. Broadly, it puts public policy on data in context from a business standpoint.

View Issues Paper

Contact Kate Skipton, Senior Policy Analyst, at [email protected] for more information on:

  • Privacy and Data Committee for RCC members
  • To receive Retail Privacy and Data Bulletins
  • Consultation Submissions on transborder data flows (OPC), PIPEDA reform (ISED), AI regulation (OPC), Ontario Data Strategy (ON MGCS)

Be heard. Save money. Stay informed.

Become a member